In my first article (November) of the Document, Data Security: “Turning Risks Into Opportunities” series, the initial goal was to bring high-level awareness to the threats and opportunities that you and your customers face when it comes to protecting your and their most valuable asset: information.
Having looked at the high-level risks and market opportunities in the first article, this month’s article focuses on three key areas (listed below) for which organizations and their leaders (public, private, government, educational and non-profit) are all responsible. The objective is one important outcome: focusing on People, Processes and Technology to create a Control Conscience Corporate Culture™ (4 C’s), and then building a strategy that is highly effective, scalable and sustainable, one that consistently creates strong value (financial, services and solutions) for shareholders and/or constituents. Anything that impedes an organization from doing so negatively impacts the value that it provides.
1. Internal Controls
2. Data Governance
3. Measuring and Managing Risk
So why is all of this so important? Simply put, it is about value. An organization’s value is built on its ability to provide services and/or solutions to its customers or constituents. If it is a for-profit organization, it must also create an acceptable financial return for its shareholders, whether public or private. You may ask how this impacts your business and why you should spend any time or resources worrying about it. The reality is that you are already in the middle of it every day: handling documents; selling equipment that prints, copies, scans and stores data; selling software or solutions that affect business processes, document or file transfer and/or data storage; managing print services or other environments; and accessing equipment to service it. So the real question is how you are going to let it impact you, your customers and your financial results.
There are four outside entities that strongly influence how organizations go about providing that return: government/regulatory bodies, auditors/accountants, law firms and insurance providers. Ironically, they are also subject to these same issues and requirements, so they are potential customers as well.
Historically, the focus of these outside entities has been on the financial reporting and systems of organizations. With the advancement of technology, regulatory changes (e.g. Sarbanes-Oxley, Regulation Fair Disclosure, HIPAA, breach notification and data privacy laws), global expansion and cultural changes, the number of data breaches, leaks and identity thefts occurring and being identified has grown sharply. These incidents are creating significant negative financial, customer-relations and brand impacts on organizations. As a result, the effect of these data events on earnings, and ultimately on the value of a public or private organization, can be catastrophic.
There are a few important phrases that need to be recognized as major red flags. By recognizing them, readers will be alerted to information that helps avoid operational, legal and financial mistakes, and will be able to talk with customers at all levels of the organization. Focus on making the buying decision strategic, not operational. Three of these key phrases are listed below; it is very important to understand that failing to protect important data can trigger any one, or a combination, of these events:
• Material Adverse Effect – a significant event that may negatively affect an organization’s (for-profit or non-profit) stock price, value or operations. A material adverse effect usually signals a severe decline in profitability and/or the possibility that the company’s operations and/or financial position may be seriously compromised.
• Material Weakness – a deficiency, or a combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected, on a timely basis.
• Significant Deficiency – a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance.
So where does an organization start to build a Control Conscience Corporate Culture™ (4 C’s)? It must start with Tone at the Top (a phrase well known to auditors, accountants, boards, executives and attorneys, as it is central to the internal-control assessments required under Sarbanes-Oxley). It refers to how an organization’s leadership creates an ethical (or unethical) atmosphere in the workplace. The board’s and management’s tone has a trickle-down effect on employees and partners. If boards and top managers uphold ethics and integrity, so will employees and partners. But if boards and upper management appear unconcerned with ethics and focus solely on the bottom line, employees and partners will be more prone to a lack of discipline, will feel that ethical conduct isn’t a priority, and may even go as far as committing fraud. In short, people follow the examples of their leaders and managers.
From there, the organization must develop a strategy that exceeds a Standard of Care (a legal term, again well known to auditors, accountants, boards, executives and attorneys): the watchfulness, attention, caution and prudence that a reasonable person would exercise in the circumstances. If a person’s actions do not meet this standard of care, then his or her acts fail to meet the duty of care which all people (supposedly) have toward others. Failure to meet the standard is negligence, and any resulting damages may be claimed in a lawsuit by the injured party. One challenge is that the “standard” is often a subjective issue on which reasonable people can differ, and leaving that question to a jury can be very expensive.
Next, the focus needs to be put on identifying the key components of Internal Controls, Data Governance, and Measuring & Managing Risk, with an emphasis on safeguarding the organization’s assets and resources, the most important being its information.
Internal Controls - Under the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control-Integrated Framework, widely used in the United States and globally, internal control is broadly defined as a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: a) effectiveness and efficiency of operations; b) reliability of financial reporting; and c) compliance with laws and regulations.
COSO defines internal control as having five components:
• Control Environment—sets the tone for the organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control.
• Risk Assessment—the identification and analysis of relevant risks to the achievement of objectives, forming a basis for how the risks should be managed.
• Information and Communication—systems or processes that support the identification, capture, and exchange of information in a form and time frame that enables people to carry out their responsibilities.
• Control Activities—the policies and procedures that help ensure management directives are carried out.
• Monitoring—processes used to assess the quality of internal control performance over time.
Data Governance - The Data Governance Institute’s definition, in its simplest terms, is this: “Data Governance is the exercise of decision making and authority for data-related matters.” In more detail, “it is a system of decision rights and accountabilities for information-related processes, executed according to agreed-upon models which describe who can take what actions with what information, and when, under what circumstances, using what methods.”
When you refer to governance, be aware that, depending on context, “Data Governance” could refer to:
• Organizational structure
• Guidelines, business rules, policies and standards
• How they “decide how to decide”
• Accountability
• Methods and metrics for people and information systems as they perform information-related processes.
Measuring & Managing Risk – What works and what doesn’t work? Over twenty years ago, Morgan and Henrion wrote about the 10 Golden Rules of Risk Analysis:
1. Do your homework with literature, experts and users.
2. Let the problem drive the analysis.
3. Make the analysis as simple as possible, but not simpler.
4. Identify all significant assumptions.
5. Be explicit about decision criteria and policy strategies.
6. Be explicit about uncertainties.
7. Perform systematic sensitivity and uncertainty analysis.
8. Iteratively refine the problem statement and analysis.
9. Document clearly and completely.
10. Expose to peer review.
Going forward, I will start to outline how to approach a data and document security review, with the intent of developing internal threat analysis plans and identifying key policies and procedures. However, remember that it all begins with people and culture. The more you invest in employee awareness, recruiting and succession plans, employee responsibility policies and data security training, the better chance you have of developing the desired culture. Follow that with process and technology gap analysis and solutions, and you have the opportunity to be the subject matter expert for your customers, expanding your relationship to a strategic level and building a very lucrative document and data security practice that complements and extends your core business.
David Anastasi is the CEO of eDocument Sciences LLC. Prior to eDocument Sciences, he served as President & CEO of Captaris, Inc., acquired by OpenText in October 2008. He is also currently a Board Member of Onehub, Inc. eDocument Sciences partners with public, private, educational and government organizations to secure their most important asset, mission-critical data. They assist in the development and management of Data Governance programs that focus on People, Processes, and Technology. They deliver results by matching technology, distribution and services companies focused on data security with each other, with distribution partners and with customers. Their focus is on delivering highly secure environments that increase productivity, scalability, and ultimately value. For more information, contact David Anastasi via email: danastasi@edocumentsciences.com or visit www.edocumentsciences.com.